Free SSL Certificates with Let's Encrypt (Ubuntu 16)

Running a secure web site provides a better experience for anyone using your site. These days (2018), search engines also favor web sites that use SSL/HTTPS, so utilizing SSL is an important aspect of SEO. But buying a new SSL certificate every couple of years can get expensive, particularly if you run multiple web sites or if you want to buy a wildcard certificate to protect all your subdomains like mail.mywebsite.com and blog.mywebsite.com.

Fortunately, the Let's Encrypt project is offering free SSL certificates so you don't have to buy new certificates every year or two. Even better, the Let's Encrypt certbot utility largely automates certificate management -- including renewal -- so you can focus on updating your web site rather than configuring it.

Note: If you omit the 'certonly' option, certbot will download your certificate and then add the new key and certificate paths to your web site's configuration file (/etc/nginx/sites-available/www.mywebsite.com). If you use the certonly option, as above, certbot will download your new cert but leave your site config untouched. This is the method I prefer.

Step 4: Set up your web site in Nginx

Now you need to make your new private key and certificate available to Nginx. To do this, edit your web site's configuration file (/etc/nginx/sites-available/www.mywebsite.com) and set up a server block with your SSL settings. Be sure to include the paths to your new key and certificate provided by certbot above:
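A server block along these lines does the job. This is an added example, not the article's original configuration: it assumes the certificate was issued for www.mywebsite.com, so that certbot stored it under /etc/letsencrypt/live/www.mywebsite.com/, and the document root shown is a placeholder.

```nginx
# Added example; not the original article's configuration.
# Assumption: certbot issued the certificate under the name www.mywebsite.com
# and therefore placed it in /etc/letsencrypt/live/www.mywebsite.com/.

# Plain HTTP: redirect everything to the HTTPS site.
server {
    listen 80;
    listen [::]:80;
    server_name www.mywebsite.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.mywebsite.com;

    # fullchain.pem holds the site certificate plus the intermediate.
    # Pointing at cert.pem alone serves an incomplete chain, which fails
    # validation on clients that do not already have the intermediate.
    ssl_certificate     /etc/letsencrypt/live/www.mywebsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.mywebsite.com/privkey.pem;

    # Weak setting to avoid:  ssl_protocols SSLv3 TLSv1 TLSv1.1;
    # (TLSv1.3 is not accepted by the nginx 1.10 packaged with Ubuntu 16.04.)
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # Session cache shared between worker processes.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    root  /var/www/www.mywebsite.com;   # placeholder document root (assumption)
    index index.html;
}
```

Run `nginx -t` to validate the file before restarting Nginx. The files under /etc/letsencrypt/live/ are symlinks that certbot repoints at each renewal, so these paths do not change when the certificate is renewed.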

Step 5: Set up autorenewal

By default, certbot will run every day to check for certificates that need renewal. When a renewal happens, you want Nginx to restart, so simply edit /etc/letsencrypt/cli.ini again and add this line to the end:

renew-hook = systemctl restart nginx

Let's Encrypt certificates are "only" valid for 90 days, but since you don't have to renew them manually anymore, who cares?

The full official documentation of certbot is available at Read the Docs.